Attendee-List:
Agenda
Video:
Today's topic:
- Marek Szwałkiewicz: Try to establish an ArgoCD deployment to provide an alternative to the helm deployment
- in oom chart provide directory for ArgoCD application definitions
- Will be used in Gating/Daily Pipelines
- TSC accepted ONAP component disabling: OOM New Delhi Release
- Update healthchecks https://gerrit.onap.org/r/c/testsuite/+/138386 → need to release it
- (TBD) smoke tests to exclude component related tests
- Patches:
- UUI https://gerrit.onap.org/r/c/oom/+/138260?usp=search
- Update done, Gating started
- Make ONAP production ready, Epic: OOM-3288
- Charts have host paths mounted (e.g. /etc/localtime), which conflicts with common policies (at least in DT)
- we need to check the OOM charts and remove these paths, if possible
- e.g. https://gerrit.onap.org/r/c/oom/+/137479?usp=search (AAI)
- Removed entries: https://gerrit.onap.org/r/c/oom/+/137689?usp=search
- Kyverno Policy Patches
- https://gerrit.onap.org/r/c/oom/+/138496 →
- "common" chart → More to come
- POLICY: https://gerrit.onap.org/r/c/oom/+/138587?usp=search, some fix is needed for xacml-pdp
- ...
- Keycloak/Oauth2Proxy/Realm
- Configurable REALM and AuthorizationPolicies: OOM-3292
- Patch merged in New Delhi: https://gerrit.onap.org/r/c/oom/+/137736
- Currently testing and enhancing in DT
- new patch (https://gerrit.onap.org/r/c/oom/+/138498?usp=search) → gating OK → needs to be submitted
- UUI https://gerrit.onap.org/r/c/oom/+/138260?usp=search
- Logging improvement proposal (TCL) Mateusz Pilat
- All components have to log to STDOUT
- They should use a common format (JSON struct) with defined attributes (example: https://git.onap.org/oom/tree/kubernetes/cps/components/cps-core/resources/config/logback-spring.xml)
- A list will be provided for the required changes in components
- Presentation next week in the TSC
- Hardening Istio with SPIRE/SPIFFE (https://blog.spiffe.io/hardening-istio-security-with-spire-d2f4f98f7a63) → need to check within DT
- Used in Nephio, see https://docs.google.com/presentation/d/1L79WrZ64Uar3IrH-jL_IeQTlPoLtXGZKHIIfVCXLoco/edit#slide=id.g2c18d699447_0_31
- FYI, Service Mesh + SPIFFE infrastructure ongoing study in Nephio, Study: Nephio security collaboration study
- There is a separate study in Nephio for workload registration and workload/node attestation, https://docs.google.com/presentation/d/1L79WrZ64Uar3IrH-jL_IeQTlPoLtXGZKHIIfVCXLoco/edit#slide=id.g2c18d699447_0_40
- https://docs.google.com/document/d/1IwWVGASgdOuLHCHYg82WaZaHdOEXyOM1/edit?pli=1#heading=h.nzahaii2p80p
- https://docs.google.com/presentation/d/1L79WrZ64Uar3IrH-jL_IeQTlPoLtXGZKHIIfVCXLoco/edit#slide=id.g2bd96dea01c_0_1
- Tata (ematpil) installed ONAP Montreal/London and made improvements
- will show improvements Tata did and might contribute to OOM
- Presentation shown: (Platform Customization-oom v2.pptx).
- → Enhancements proposed:
- Security enhancements (e.g. Keycloak/OAuthProxy, AuthorizationPolicy, ...), e.g.: authentication.tar; oauth2 + KC research: rbac_research_wrap.pdf
- Logging enhancements,...
Others:
- Change "bash" to "sh"
- https://gerrit.onap.org/r/q/topic:bashisms
- Started by Orange, but not finished
- Describe ONAP component deployment via ArgoCD
- create "Application" config dir in oom repo ?
Open Jira issues:
Key | Summary | Assignee | Reporter | Status | Resolution | Created | Updated | Due
---|---|---|---|---|---|---|---|---
OOM-3172 | [Common] rendering issue of template "common.nginxIngress" | Alexander Dehn | Alexander Dehn | In Progress | Unresolved | Apr 27, 2023 | Apr 27, 2023 |
OOM-3171 | service-mesh-wait-for-job-container fails, when no sidecar exists | Andreas Geissler | Andreas Geissler | Open | Unresolved | Apr 27, 2023 | Apr 27, 2023 |
OOM-3170 | [SDNC] Support kafka native interface | Alexander Dehn | Alexander Dehn | In Progress | Unresolved | Apr 25, 2023 | Apr 26, 2023 |
OOM-3169 | For SDNC setup consider new Websocketport | Alexander Dehn | Herbert Eiselt | In Progress | Unresolved | Apr 24, 2023 | Apr 27, 2023 |
OOM-3168 | Introduce cassandra-operator to OOM | Andreas Geissler | Andreas Geissler | Open | Unresolved | Apr 24, 2023 | Apr 24, 2023 |
OOM-3167 | DOC: change the plugin installation instructions | Marek Szwałkiewicz | Marek Szwałkiewicz | Open | Unresolved | Apr 24, 2023 | Apr 24, 2023 |
OOM-3166 | Kiali Validation - KIA0601 - Port name must follow [-suffix] form | Fiete Ostkamp | Fiete Ostkamp | In Progress | Unresolved | Apr 19, 2023 | Apr 19, 2023 |
OOM-3165 | Policy-gui Ingress target is wrong | Andreas Geissler | Andreas Geissler | Open | Unresolved | Apr 19, 2023 | Apr 19, 2023 |
OOM-3162 | Update Strimzi Operator to 0.34.0 and Kafka to 3.4.3 | Fiachra Corcoran | Andreas Geissler | Open | Unresolved | Apr 13, 2023 | Apr 13, 2023 |
OOM-3161 | [COMMON] Add monitoring to postgres | Miroslav Masaryk | Miroslav Masaryk | Open | Unresolved | Apr 12, 2023 | Apr 13, 2023 |
OOM-3159 | Update OOM documentation | Andreas Geissler | Andreas Geissler | Open | Unresolved | Mar 31, 2023 | Apr 13, 2023 |
OOM-3155 | Review license scan issues | Andreas Geissler | David McBride | In Progress | Unresolved | Mar 30, 2023 | Apr 26, 2023 |
OOM-3153 | Feature Freeze | Andreas Geissler | David McBride | Open | Unresolved | Mar 30, 2023 | Mar 30, 2023 | Mar 23, 2023
OOM-3151 | Improve stability in Daily Master Deployments | Andreas Geissler | Andreas Geissler | Open | Unresolved | Mar 21, 2023 | Mar 21, 2023 |
OOM-3149 | The chartmuseum binary download URL not working in OOM deployment | Andreas Geissler | Sankar Palanivel | Open | Unresolved | Mar 09, 2023 | Apr 13, 2023 |
OOM-3147 | Create authorization policy for platform | Unassigned | Andrew Lamb | Open | Unresolved | Mar 06, 2023 | Mar 08, 2023 |
OOM-3146 | Create authorization policy for Holmes | Unassigned | Andrew Lamb | Open | Unresolved | Mar 06, 2023 | Mar 08, 2023 |
OOM-3145 | Create authorization policy for CPS | Unassigned | Andrew Lamb | Open | Unresolved | Mar 06, 2023 | Mar 08, 2023 |
OOM-3144 | Create authorization policy for Cassandra | Unassigned | Andrew Lamb | Open | Unresolved | Mar 06, 2023 | Mar 08, 2023 |
OOM-3143 | Create authorization policy for Consul | Unassigned | Andrew Lamb | Open | Unresolved | Mar 06, 2023 | Mar 08, 2023 |
Showing 20 out of 103 issues
Backlog from older meetings (to be cleaned up)
Pending component fixes:
(2023-05-03: No update)
- CDS-UI - CCSDK-3814 (CDS-UI must be able to listen on HTTP, Open) → DT/TM has a look
- maybe postpone to M
- SO Monitor - SO-4027 (Make SO-Service-Monitor ServiceMesh compatible, Open) → Byung mentioned that the E/// team tries to resolve the issue (Byung's note: It was assigned to Viresh Navalli, Capgemini. E/// plans to assist Viresh as needed.)
→ postpone to Montreal - CLI will not work without fix... (OOM-3096: [CLI] Remove AAF dependency, Delivered)
- UUI - not clear if working
Helm chart cleanup: OOM-2975 (Remove dependencies on AAF, Open)
(2023-05-10: No update)
- Common → Andreas
- Platform
- MSB
- VFC
Ingress enhancements for non-HTTP interfaces:
- External Kafka access → https://gerrit.onap.org/r/c/oom/+/133767
- SDNC CallHome (SSH) → part of https://gerrit.onap.org/r/c/oom/+/133861
- Plan to update _ingress.tpl for Gateway-API support and AuthorizationPolicy
Oauth2-proxy setup (Andreas):
(2023-05-03: No update)
- Documentation: Oauth2-Proxy implementation and configuration
- Oauth2-Proxy: https://gerrit.onap.org/r/c/oom/+/130445
- Adding Oauth2-proxy client to ONAP realm: https://gerrit.onap.org/r/c/oom/+/133699
To be started:
(2023-05-03: No update)
- Ingress template improvements:
- Remove unused components:
- MariaDB:
- Remove NodePort in Ingress environments:
- UDP Ingress support:
Others:
(2023-05-03: No update)
- SDC Listener HTTP issue - SDC-4233 (SDC Distribution Client should work with lower-case Header entries, Closed) → Marek provided patch → merged, needs to be released and can be used in the clients
- When released, all clients need to be updated (CDS, AAI, Policy, SO, ...)
- Create tickets for all clients....
2023-05-31: Discussed presentation to TSC/PTL meeting proposing a new global requirement to rely (exclusively) on service mesh mechanisms for intra-ONAP authentication and authorization (get rid of HTTP basic auth). To be presented to TSC on 2023-06-01.